The operators behind this campaign, which Trend Micro’s security researchers refer to as Heatstroke, do not employ a single landing page, and instead attempt to mimic legitimate websites to trick victims into thinking nothing is amiss.

Furthermore, while the phishing kit’s content is forwarded from another location, obfuscation is used to make it appear as if it was on the landing page itself. On top of that, the page is constantly changing, thus being able to bypass content filtering.

The researchers also discovered that the phishing kit can block certain IP ranges, crawling services, and even security tools. Thus, if a connection is attempted from a blacklisted IP, service, or location, an HTTP 404 error will be served instead, or content is forwarded from somewhere else.

In an attempt to bypass firewalls, the first page of the phishing kit is generated by a PHP script encoded in Base64, Trend Micro also notes.

The security researchers also observed another group using the kit for their own phishing attacks, and the kit’s developers have assigned this group its own API key, suggesting that the cybercriminals employ a phishing-as-a-service business model.

The campaign attempts to appear legitimate by leveraging domains based on the victim’s country of origin. In some cases, this domain used to belong to a legitimate business and was later put up for sale.

Credentials stolen in these attacks are sent to an email address and steganography (hiding or embedding data into an image) is employed for that. Trend Micro says it has captured two similar phishing kits, targeting Amazon and PayPal users.

In both cases, the tactics and techniques were similar, including the website hosting the phishing kit, the type of stolen information, and the employed masking techniques.

“Both kits also seemingly end in the same user verification phase. These similarities could mean that they have the same origin. The similarity could also be buoyed by the timing and scope of the attacks that used these kits, as they were delivered to the same victim,” Trend Micro notes.

The attack starts with a fake account verification email that is sent from a legitimate domain to avoid being blocked by spam filters. Currently, PayPal and Amazon users are targeted, but code in the phishing kit’s htaccess file reveals that customers of eBay, Google, Apple, Internet.bs, and other services are future targets.

The first-stage website is designed to redirect the victim to the phishing kit’s site, which performs user validation, checking if the visitor is a bot, web crawler, or security tool like Nessus. It also checks visitors’ IP addresses using an online anti-fraud service.

Next, the user is diverted to a third-stage website, which performs the actual phishing. The user is asked to fill information fields for email credentials, credit card details and other personally identifiable information (PII).

“Once the user fills all the information fields and clicks the last button, nothing will happen. If the user tries to visit the website with the phishing kit with the same IP and settings, the website will not load the phishing kit,” Trend Micro explains.